diff -up ./mod_nss.c.norego ./mod_nss.c --- ./mod_nss.c.norego 2010-01-28 20:42:14.000000000 +0100 +++ ./mod_nss.c 2010-01-28 20:44:49.000000000 +0100 @@ -97,6 +97,14 @@ static const command_rec nss_config_cmds SSL_CMD_SRV(Nickname, TAKE1, "SSL RSA Server Certificate nickname " "(`Server-Cert'") +#ifdef SSL_ENABLE_RENEGOTIATION + SSL_CMD_SRV(Renegotiation, FLAG, + "Enable SSL Renegotiation (default off) " + "(`on', `off')") + SSL_CMD_SRV(RequireSafeNegotiation, FLAG, + "If Rengotiation is allowed, require safe negotiation (default off) " + "(`on', `off')") +#endif #ifdef NSS_ENABLE_ECC SSL_CMD_SRV(ECCNickname, TAKE1, "SSL ECC Server Certificate nickname " diff -up ./mod_nss.h.norego ./mod_nss.h --- ./mod_nss.h.norego 2010-01-28 20:42:14.000000000 +0100 +++ ./mod_nss.h 2010-01-28 20:44:49.000000000 +0100 @@ -269,6 +269,10 @@ typedef struct { int tls; int tlsrollback; int enforce; +#ifdef SSL_ENABLE_RENEGOTIATION + int enablerenegotiation; + int requiresafenegotiation; +#endif const char *nickname; #ifdef NSS_ENABLE_ECC const char *eccnickname; @@ -383,6 +387,10 @@ const char *nss_cmd_NSSCipherSuite(cmd_p const char *nss_cmd_NSSVerifyClient(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSProtocol(cmd_parms *cmd, void *dcfg, const char *arg); const char *nss_cmd_NSSNickname(cmd_parms *cmd, void *dcfg, const char *arg); +#ifdef SSL_ENABLE_RENEGOTIATION +const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag); +const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag); +#endif #ifdef NSS_ENABLE_ECC const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, const char *arg); #endif diff -up ./nss_engine_config.c.norego ./nss_engine_config.c --- ./nss_engine_config.c.norego 2010-01-28 20:42:14.000000000 +0100 +++ ./nss_engine_config.c 2010-01-28 20:44:49.000000000 +0100 @@ -78,6 +78,10 @@ static void modnss_ctx_init(modnss_ctx_t mctx->tls = PR_FALSE; mctx->tlsrollback = PR_FALSE; +#ifdef SSL_ENABLE_RENEGOTIATION + mctx->enablerenegotiation = PR_FALSE; + mctx->requiresafenegotiation = PR_FALSE; +#endif mctx->enforce = PR_TRUE; mctx->nickname = NULL; #ifdef NSS_ENABLE_ECC @@ -174,6 +178,10 @@ static void modnss_ctx_cfg_merge(modnss_ cfgMerge(eccnickname, NULL); #endif cfgMerge(enforce, PR_TRUE); +#ifdef SSL_ENABLE_RENEGOTIATION + cfgMerge(enablerenegotiation, PR_FALSE); + cfgMerge(requiresafenegotiation, PR_FALSE); +#endif } static void modnss_ctx_cfg_merge_proxy(modnss_ctx_t *base, @@ -461,6 +469,26 @@ const char *nss_cmd_NSSNickname(cmd_parm return NULL; } +#ifdef SSL_ENABLE_RENEGOTIATION +const char *nss_cmd_NSSRenegotiation(cmd_parms *cmd, void *dcfg, int flag) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + + sc->server->enablerenegotiation = flag ? PR_TRUE : PR_FALSE; + + return NULL; +} + +const char *nss_cmd_NSSRequireSafeNegotiation(cmd_parms *cmd, void *dcfg, int flag) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + + sc->server->requiresafenegotiation = flag ? PR_TRUE : PR_FALSE; + + return NULL; +} +#endif + #ifdef NSS_ENABLE_ECC const char *nss_cmd_NSSECCNickname(cmd_parms *cmd, void *dcfg, diff -up ./nss_engine_init.c.norego ./nss_engine_init.c --- ./nss_engine_init.c.norego 2010-01-28 20:42:14.000000000 +0100 +++ ./nss_engine_init.c 2010-01-28 20:48:42.000000000 +0100 @@ -548,6 +548,24 @@ static void nss_init_ctx_socket(server_r nss_die(); } } +#ifdef SSL_ENABLE_RENEGOTIATION + if (SSL_OptionSet(mctx->model, SSL_ENABLE_RENEGOTIATION, + mctx->enablerenegotiation ? + SSL_RENEGOTIATE_REQUIRES_XTN : SSL_RENEGOTIATE_NEVER + ) != SECSuccess) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "Unable to set SSL renegotiation"); + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); + nss_die(); + } + if (SSL_OptionSet(mctx->model, SSL_REQUIRE_SAFE_NEGOTIATION, + mctx->requiresafenegotiation) != SECSuccess) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "Unable to set SSL safe negotiation"); + nss_log_nss_error(APLOG_MARK, APLOG_ERR, s); + nss_die(); + } +#endif } static void nss_init_ctx_protocol(server_rec *s, diff -up ./nss.conf.in.norego ./nss.conf.in --- ./nss.conf.in.norego 20 Oct 2006 15:23:39 -0000 +++ ./nss.conf.in 18 Mar 2010 18:34:46 -0000 @@ -64,6 +64,17 @@ #NSSRandomSeed startup file:/dev/random 512 #NSSRandomSeed startup file:/dev/urandom 512 +# +# TLS Negotiation configuration under RFC 5746 +# +# Only renegotiate if the peer's hello bears the TLS renegotiation_info +# extension. Default off. +NSSRenegotiation off + +# Peer must send Signaling Cipher Suite Value (SCSV) or +# Renegotiation Info (RI) extension in ALL handshakes. Default: off +NSSRequireSafeNegotiation off + ## ## SSL Virtual Host Context ## diff -up ./nss_engine_log.c.norego ./nss_engine_log.c --- ./nss_engine_log.c.norego 17 Oct 2006 16:45:57 -0000 +++ ./nss_engine_log.c 18 Mar 2010 19:39:10 -0000 @@ -27,7 +27,7 @@ #define LIBSEC_ERROR_BASE (-8192) #define LIBSEC_MAX_ERROR (LIBSEC_ERROR_BASE + 155) #define LIBSSL_ERROR_BASE (-12288) -#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 102) +#define LIBSSL_MAX_ERROR (LIBSSL_ERROR_BASE + 114) typedef struct l_error_t { int errorNumber; @@ -296,7 +296,19 @@ { 99, "Server requires ciphers more secure than those supported by client" }, { 100, "Peer reports it experienced an internal error" }, { 101, "Peer user canceled handshake" }, - { 102, "Peer does not permit renegotiation of SSL security parameters" } + { 102, "Peer does not permit renegotiation of SSL security parameters" }, + { 103, "Server cache not configured" }, + { 104, "Unsupported extension" }, + { 105, "Certificate unobtainable" }, + { 106, "Unrecognized name" }, + { 107, "Bad certificate status" }, + { 108, "Bad certificate hash value" }, + { 109, "Unexpected new session ticket" }, + { 110, "Malformed new session ticket" }, + { 111, "Decompression failure" }, + { 112, "Renegotiation not allowed" }, + { 113, "Safe negotiation required but not provided by client" }, + { 114, "Unexpected uncompressed record" }, }; void nss_die(void)